Cyber Resilience

CVE-2025-32756

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 May 2025
Modified: 14 January 2026
KEV Added: 14 May 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2228 (95.9th percentile)
Risk Priority: 53 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32756 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Fortinet FortiNDR. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

A stack-based buffer overflow vulnerability, tracked as CVE-2025-32756 and also associated with CWE-787, affects multiple Fortinet products including FortiCamera versions 2.1.0-2.1.3, 2.0.x, and 1.1.x; FortiMail 7.6.0-7.6.2, 7.4.0-7.4.4, 7.2.0-7.2.7, and 7.0.0-7.0.8; FortiNDR 7.6.0, 7.4.0-7.4.7, 7.2.0-7.2.4, and 7.0.0-7.0.6; FortiRecorder 7.2.0-7.2.3, 7.0.0-7.0.5, and 6.4.0-6.4.5; and FortiVoice 7.2.0, 7.0.0-7.0.6, and 6.4.0-6.4.10. The flaw resides in the handling of HTTP requests containing a specially crafted hash cookie and carries a CVSS 3.1 score of 9.8.

Remote unauthenticated attackers can exploit the issue over the network by sending malicious HTTP requests, resulting in arbitrary code or command execution with full impact on confidentiality, integrity, and availability.

Fortinet has published advisory FG-IR-25-254 detailing the vulnerability, while CISA has added CVE-2025-32756 to its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score rose from a low baseline to a peak of 0.4163 on 2026-03-10 before receding to the current value of 0.2228, indicating that exploitation interest increased after public disclosure.


Vulnerability details

A stack-based buffer overflow [CWE-121] vulnerability in Fortinet FortiCamera 2.1.0 through 2.1.3, FortiCamera 2.0 all versions, FortiCamera 1.1 all versions, FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.7, FortiNDR 7.2.0 through 7.2.4, FortiNDR 7.0.0 through 7.0.6, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0.0 through 7.0.5, FortiRecorder 6.4.0 through 6.4.5, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6, FortiVoice 6.4.0 through 6.4.10 allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with a specially crafted hash cookie.

KEV Date Added: 14 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets (vendor / product: version ranges)

fortinet / fortimail: 7.0.0 — 7.0.9 · 7.2.0 — 7.2.8 · 7.4.0 — 7.4.5
fortinet / fortindr: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0 · 7.0.0 — 7.0.7 · 7.2.0 — 7.2.5 · 7.4.0 — 7.4.8
fortinet / fortirecorder: 6.4.0 — 6.4.6 · 7.0.0 — 7.0.6 · 7.2.0 — 7.2.4
fortinet / fortivoice: 7.2.0 · 6.4.0 — 6.4.11 · 7.0.0 — 7.0.7
fortinet / forticamera firmware: 2.0.0 — 2.1.3 · 1.1.0 — 1.1.5

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): Directly requires validation of HTTP cookie input to reject oversized or malformed hash values before they reach the vulnerable stack buffer.

prevent · SI-16 (Memory Protection): Enforces memory-protection mechanisms (ASLR, DEP, stack canaries) that block reliable exploitation of the stack-based buffer overflow.

prevent · Vendor patching: Mandates timely application of vendor patches that eliminate the flawed cookie-handling code in the listed Fortinet versions.
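As an added illustration of the input-validation control above (a constructed example, not Fortinet's code and not the actual vulnerable routine), the handler below assumes a cookie named "hash" that carries a fixed-length hex digest and rejects any value of the wrong length or character set before it is copied into a fixed-size stack buffer; the unsafe variant it stands in for would copy the raw cookie value unchecked.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumptions (not taken from the advisory): the cookie is named "hash" and a
 * valid value is a fixed-length hex digest of HASH_HEX_LEN characters. */
#define HASH_HEX_LEN 32

/* Locate "name=" in a Cookie header. Returns a pointer to the raw value and
 * stores its length (up to the next ';' or end of string), or NULL if absent. */
static const char *find_cookie(const char *hdr, const char *name, size_t *vlen) {
    size_t nlen = strlen(name);
    const char *p = hdr;
    while ((p = strstr(p, name)) != NULL) {
        int at_start = (p == hdr) || (p[-1] == ' ') || (p[-1] == ';');
        if (at_start && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            *vlen = strcspn(v, ";");
            return v;
        }
        p += nlen;
    }
    return NULL;
}

/* Hardened handler: check length and character set BEFORE the value touches
 * the fixed-size stack buffer. The unsafe pattern behind CWE-121 is the same
 * routine with strcpy(buf, v) and no checks, so an oversized cookie value runs
 * past buf on the stack. Returns 1 if the cookie was accepted (and copied to
 * out), 0 if it is absent, oversized, undersized, or not hexadecimal. */
int handle_hash_cookie(const char *cookie_header, char *out, size_t outsz) {
    char buf[HASH_HEX_LEN + 1];              /* fixed-size stack buffer */
    size_t vlen;
    const char *v = find_cookie(cookie_header, "hash", &vlen);
    if (v == NULL) return 0;
    if (vlen != HASH_HEX_LEN) return 0;      /* SI-10: reject wrong-length values */
    for (size_t i = 0; i < vlen; i++)        /* SI-10: reject non-hex characters */
        if (!isxdigit((unsigned char)v[i])) return 0;
    memcpy(buf, v, vlen);                    /* bounded: vlen is exactly HASH_HEX_LEN */
    buf[vlen] = '\0';
    if (outsz <= vlen) return 0;             /* caller's buffer must fit value + NUL */
    memcpy(out, buf, vlen + 1);
    return 1;
}
```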
